Token based communication

ABSTRACT

A method for authorizing I/O (input/output) commands in a storage cluster is provided. The method includes generating a token responsive to an authority initiating an I/O command, wherein the token is specific to assignment of the authority and a storage node of the storage cluster. The method includes verifying the I/O command using the token, wherein the token includes a signature confirming validity of the token and wherein the token is revocable.

BACKGROUND

Solid-state memory, such as flash, is currently in use in solid-statedrives (SSD) to augment or replace conventional hard disk drives (HDD),writable CD (compact disk) or writable DVD (digital versatile disk)drives, collectively known as spinning media, and tape drives, forstorage of large amounts of data. Flash and other solid-state memorieshave characteristics that differ from spinning media. Yet, manysolid-state drives are designed to conform to hard disk drive standardsfor compatibility reasons, which makes it difficult to provide enhancedfeatures or take advantage of unique aspects of flash and othersolid-state memory. In a storage cluster environment, it may bedifficult to verify communications between storage nodes, or suchverification may consume excessive communication bandwidth betweenstorage nodes.

It is within this context that the embodiments arise.

SUMMARY

In some embodiments, a method for authorizing I/O (input/output)commands in a storage cluster is provided. The method includesgenerating a token responsive to an authority initiating an I/O command,wherein the token is specific to assignment of the authority and astorage node of the storage cluster. The method includes verifying theI/O command using the token, wherein the token includes a signatureconfirming validity of the token and wherein the token is revocable.

In some embodiments, a storage cluster that authorizes I/O(input/output) commands with I/O tokens is provided. The storage clusterincludes a plurality of storage nodes coupled to form the storagecluster. Each of the plurality of storage nodes has one or more storageunits and each of the one or more storage units has random-access memory(RAM) and non-volatile solid-state storage memory. At least a subset ofthe plurality of storage nodes has one or more authorities configured toissue I/O commands and generate tokens, wherein a token accompanies eachI/O command. The token is specific to an authority issuing the I/Ocommand and specific to the storage node having the authority. Each ofthe one or more storage units is configured to verify the I/O commandsusing the token. The token includes a signature confirming validity ofthe token and the token is revocable.

In some embodiments, a storage node that authorizes I/O (input/output)commands in a storage cluster is provided. The storage node includes aprocessor and one or more storage units having random-access memory(RAM) and non-volatile solid-state storage memory. The processor of thestorage node is configured to issue an I/O command with a token onbehalf of an authority in the storage node, wherein the token isspecific to the storage node and the authority, the token has asignature confirming validity of the token and wherein the token isrevocable.

Other aspects and advantages of the embodiments will become apparentfrom the following detailed description taken in conjunction with theaccompanying drawings which illustrate, by way of example, theprinciples of the described embodiments.

BRIEF DESCRIPTION OF THE DRAWINGS

The described embodiments and the advantages thereof may best beunderstood by reference to the following description taken inconjunction with the accompanying drawings. These drawings in no waylimit any changes in form and detail that may be made to the describedembodiments by one skilled in the art without departing from the spiritand scope of the described embodiments.

FIG. 1 is a perspective view of a storage cluster with multiple storagenodes and internal storage coupled to each storage node to providenetwork attached storage, in accordance with some embodiments.

FIG. 2 is a block diagram showing an interconnect switch couplingmultiple storage nodes in accordance with some embodiments.

FIG. 3 is a multiple level block diagram, showing contents of a storagenode and contents of one of the non-volatile solid state storage unitsin accordance with some embodiments.

FIG. 4 depicts a storage node sending an I/O command to a storage unit,which verifies the I/O command based on contents of an accompanyingsigned token in accordance with some embodiments.

FIG. 5 shows relationships of the token to the I/O command, the storagenode, the authority executing in the storage node, and signers of thetoken in accordance with some embodiments.

FIG. 6 shows storage nodes voting to replace an authority in accordancewith some embodiments.

FIG. 7 shows assignment of an authority to a new storage node, as areplacement authority in accordance with some embodiments.

FIG. 8 is a flow diagram of a method for authorizing I/O commands, whichcan be practiced in the storage cluster of FIG. 1 in accordance withsome embodiments.

FIG. 9 is an illustration showing an exemplary computing device whichmay implement the embodiments described herein.

DETAILED DESCRIPTION

The embodiments below describe a storage cluster that stores user data,such as user data originating from one or more user or client systems orother sources external to the storage cluster. The storage clusterdistributes user data across storage nodes housed within a chassis,using erasure coding and redundant copies of metadata. Erasure codingrefers to a method of data protection or reconstruction in which data isstored across a set of different locations, such as disks, storage nodesor geographic locations. Flash memory is one type of solid-state memorythat may be integrated with the embodiments, although the embodimentsmay be extended to other types of solid-state memory or other storagemedium, including non-solid state memory. Control of storage locationsand workloads are distributed across the storage locations in aclustered peer-to-peer system. Tasks such as mediating communicationsbetween the various storage nodes, detecting when a storage node hasbecome unavailable, and balancing I/Os (inputs and outputs) across thevarious storage nodes, are all handled on a distributed basis. Data islaid out or distributed across multiple storage nodes in data fragmentsor stripes that support data recovery in some embodiments. Ownership ofdata can be reassigned within a cluster, independent of input and outputpatterns. This architecture described in more detail below allows astorage node in the cluster to fail, with the system remainingoperational, since the data can be reconstructed from other storagenodes and thus remain available for input and output operations. Invarious embodiments, a storage node may be referred to as a clusternode, a blade, or a server.

The storage cluster is contained within a chassis, i.e., an enclosurehousing one or more storage nodes. A mechanism to provide power to eachstorage node, such as a power distribution bus, and a communicationmechanism, such as a communication bus that enables communicationbetween the storage nodes are included within the chassis. The storagecluster can run as an independent system in one location according tosome embodiments. In one embodiment, a chassis contains at least twoinstances of both the power distribution and the communication bus whichmay be enabled or disabled independently. The internal communication busmay be an Ethernet bus, however, other technologies such as PeripheralComponent Interconnect (PCI) Express, InfiniBand, and others, areequally suitable. The chassis provides a port for an externalcommunication bus for enabling communication between multiple chassis,directly or through a switch, and with client systems. The externalcommunication may use a technology such as Ethernet, InfiniBand, FibreChannel, etc. In some embodiments, the external communication bus usesdifferent communication bus technologies for inter-chassis and clientcommunication. If a switch is deployed within or between chassis, theswitch may act as a translation between multiple protocols ortechnologies. When multiple chassis are connected to define a storagecluster, the storage cluster may be accessed by a client using eitherproprietary interfaces or standard interfaces such as network filesystem (NFS), common internet file system (CMS), small computer systeminterface (SCSI) or hypertext transfer protocol (HTTP). Translation fromthe client protocol may occur at the switch, chassis externalcommunication bus or within each storage node.

Each storage node may be one or more storage servers and each storageserver is connected to one or more non-volatile solid state memoryunits, which may be referred to as storage units. One embodimentincludes a single storage server in each storage node and between one toeight non-volatile solid state memory units, however this one example isnot meant to be limiting. The storage server may include a processor,dynamic random access memory (DRAM) and interfaces for the internalcommunication bus and power distribution for each of the power buses.Inside the storage node, the interfaces and storage unit share acommunication bus, e.g., PCI Express, in some embodiments. Thenon-volatile solid state memory units may directly access the internalcommunication bus interface through a storage node communication bus, orrequest the storage node to access the bus interface. The non-volatilesolid state memory unit contains an embedded central processing unit(CPU), solid state storage controller, and a quantity of solid statemass storage, e.g., between 2-32 terabytes (TB) in some embodiments. Anembedded volatile storage medium, such as DRAM, and an energy reserveapparatus are included in the non-volatile solid state memory unit. Insome embodiments, the energy reserve apparatus is a capacitor,super-capacitor, or battery that enables transferring a subset of DRAMcontents to a stable storage medium in the case of power loss. In someembodiments, the non-volatile solid state memory unit is constructedwith a storage class memory, such as phase change or magnetoresistiverandom access memory (MRAM) that substitutes for DRAM and enables areduced power hold-up apparatus.

One of many features of the storage nodes and non-volatile solid statestorage is the ability to proactively rebuild data in a storage cluster.The storage nodes and non-volatile solid state storage can determinewhen a storage node or non-volatile solid state storage in the storagecluster is unreachable, independent of whether there is an attempt toread data involving that storage node or non-volatile solid statestorage. The storage nodes and non-volatile solid state storage thencooperate to recover and rebuild the data in at least partially newlocations. This constitutes a proactive rebuild, in that the systemrebuilds data without waiting until the data is needed for a read accessinitiated from a client system employing the storage cluster. These andfurther details of the storage memory and operation thereof arediscussed below.

FIG. 1 is a perspective view of a storage cluster 160, with multiplestorage nodes 150 and internal solid-state memory coupled to eachstorage node to provide network attached storage or storage areanetwork, in accordance with some embodiments. A network attachedstorage, storage area network, or a storage cluster, or other storagememory, could include one or more storage clusters 160, each having oneor more storage nodes 150, in a flexible and reconfigurable arrangementof both the physical components and the amount of storage memoryprovided thereby. The storage cluster 160 is designed to fit in a rack,and one or more racks can be set up and populated as desired for thestorage memory. The storage cluster 160 has a chassis 138 havingmultiple slots 142. It should be appreciated that chassis 138 may bereferred to as a housing, enclosure, or rack unit. In one embodiment,the chassis 138 has fourteen slots 142, although other numbers of slotsare readily devised. For example, some embodiments have four slots,eight slots, sixteen slots, thirty-two slots, or other suitable numberof slots. Each slot 142 can accommodate one storage node 150 in someembodiments. Chassis 138 includes flaps 148 that can be utilized tomount the chassis 138 on a rack. Fans 144 provide air circulation forcooling of the storage nodes 150 and components thereof, although othercooling components could be used, or an embodiment could be devisedwithout cooling components. A switch fabric 146 couples storage nodes150 within chassis 138 together and to a network for communication tothe memory. In an embodiment depicted in FIG. 1, the slots 142 to theleft of the switch fabric 146 and fans 144 are shown occupied by storagenodes 150, while the slots 142 to the right of the switch fabric 146 andfans 144 are empty and available for insertion of storage node 150 forillustrative purposes. This configuration is one example, and one ormore storage nodes 150 could occupy the slots 142 in various furtherarrangements. The storage node arrangements need not be sequential oradjacent in some embodiments. Storage nodes 150 are hot pluggable,meaning that a storage node 150 can be inserted into a slot 142 in thechassis 138, or removed from a slot 142, without stopping or poweringdown the system. Upon insertion or removal of storage node 150 from slot142, the system automatically reconfigures in order to recognize andadapt to the change. Reconfiguration, in some embodiments, includesrestoring redundancy and/or rebalancing data or load.

Each storage node 150 can have multiple components. In the embodimentshown here, the storage node 150 includes a printed circuit board 158populated by a CPU 156, i.e., processor, a memory 154 coupled to the CPU156, and a non-volatile solid state storage 152 coupled to the CPU 156,although other mountings and/or components could be used in furtherembodiments. The memory 154 has instructions which are executed by theCPU 156 and/or data operated on by the CPU 156. As further explainedbelow, the non-volatile solid state storage 152 includes flash or, infurther embodiments, other types of solid-state memory.

Referring to FIG. 1, storage cluster 160 is scalable, meaning thatstorage capacity with non-uniform storage sizes is readily added, asdescribed above. One or more storage nodes 150 can be plugged into orremoved from each chassis and the storage cluster self-configures insome embodiments. Plug-in storage nodes 150, whether installed in achassis as delivered or later added, can have different sizes. Forexample, in one embodiment a storage node 150 can have any multiple of 4TB, e.g., 8 TB, 12 TB, 16 TB, 32 TB, etc. In further embodiments, astorage node 150 could have any multiple of other storage amounts orcapacities. Storage capacity of each storage node 150 is broadcast, andinfluences decisions of how to stripe the data. For maximum storageefficiency, an embodiment can self-configure as wide as possible in thestripe, subject to a predetermined requirement of continued operationwith loss of up to one, or up to two, non-volatile solid state storageunits 152 or storage nodes 150 within the chassis.

FIG. 2 is a block diagram showing a communications interconnect 170 andpower distribution bus 172 coupling multiple storage nodes 150.Referring back to FIG. 1, the communications interconnect 170 can beincluded in or implemented with the switch fabric 146 in someembodiments. Where multiple storage clusters 160 occupy a rack, thecommunications interconnect 170 can be included in or implemented with atop of rack switch, in some embodiments. As illustrated in FIG. 2,storage cluster 160 is enclosed within a single chassis 138. Externalport 176 is coupled to storage nodes 150 through communicationsinterconnect 170, while external port 174 is coupled directly to astorage node. External power port 178 is coupled to power distributionbus 172. Storage nodes 150 may include varying amounts and differingcapacities of non-volatile solid state storage 152 as described withreference to FIG. 1. In addition, one or more storage nodes 150 may be acompute only storage node as illustrated in FIG. 2. Authorities 168 areimplemented on the non-volatile solid state storages 152, for example aslists or other data structures stored in memory. In some embodiments theauthorities are stored within the non-volatile solid state storage 152and supported by software executing on a controller or other processorof the non-volatile solid state storage 152. In a further embodiment,authorities 168 are implemented on the storage nodes 150, for example aslists or other data structures stored in the memory 154 and supported bysoftware executing on the CPU 156 of the storage node 150. Authorities168 control how and where data is stored in the non-volatile solid statestorages 152 in some embodiments. This control assists in determiningwhich type of erasure coding scheme is applied to the data, and whichstorage nodes 150 have which portions of the data. Each authority 168may be assigned to a non-volatile solid state storage 152. Eachauthority may control a range of inode numbers, segment numbers, orother data identifiers which are assigned to data by a file system, bythe storage nodes 150, or by the non-volatile solid state storage 152,in various embodiments.

Every piece of data, and every piece of metadata, has redundancy in thesystem in some embodiments. In addition, every piece of data and everypiece of metadata has an owner, which may be referred to as anauthority. If that authority is unreachable, for example through failureof a storage node, there is a plan of succession for how to find thatdata or that metadata. In various embodiments, there are redundantcopies of authorities 168. Authorities 168 have a relationship tostorage nodes 150 and non-volatile solid state storage 152 in someembodiments. Each authority 168, covering a range of data segmentnumbers or other identifiers of the data, may be assigned to a specificnon-volatile solid state storage 152. In some embodiments theauthorities 168 for all of such ranges are distributed over thenon-volatile solid state storages 152 of a storage cluster. Each storagenode 150 has a network port that provides access to the non-volatilesolid state storage(s) 152 of that storage node 150. Data can be storedin a segment, which is associated with a segment number and that segmentnumber is an indirection for a configuration of a RAID (redundant arrayof independent disks) stripe in some embodiments. The assignment and useof the authorities 168 thus establishes an indirection to data.Indirection may be referred to as the ability to reference dataindirectly, in this case via an authority 168, in accordance with someembodiments. A segment identifies a set of non-volatile solid statestorage 152 and a local identifier into the set of non-volatile solidstate storage 152 that may contain data. In some embodiments, the localidentifier is an offset into the device and may be reused sequentiallyby multiple segments. In other embodiments the local identifier isunique for a specific segment and never reused. The offsets in thenon-volatile solid state storage 152 are applied to locating data forwriting to or reading from the non-volatile solid state storage 152 (inthe form of a RAID stripe). Data is striped across multiple units ofnon-volatile solid state storage 152, which may include or be differentfrom the non-volatile solid state storage 152 having the authority 168for a particular data segment.

If there is a change in where a particular segment of data is located,e.g., during a data move or a data reconstruction, the authority 168 forthat data segment should be consulted, at that non-volatile solid statestorage 152 or storage node 150 having that authority 168. In order tolocate a particular piece of data, embodiments calculate a hash valuefor a data segment or apply an inode number or a data segment number.The output of this operation points to a non-volatile solid statestorage 152 having the authority 168 for that particular piece of data.In some embodiments there are two stages to this operation. The firststage maps an entity identifier (ID), e.g., a segment number, inodenumber, or directory number to an authority identifier. This mapping mayinclude a calculation such as a hash or a bit mask. The second stage ismapping the authority identifier to a particular non-volatile solidstate storage 152, which may be done through an explicit mapping. Theoperation is repeatable, so that when the calculation is performed, theresult of the calculation repeatably and reliably points to a particularnon-volatile solid state storage 152 having that authority 168. Theoperation may include the set of reachable storage nodes as input. Ifthe set of reachable non-volatile solid state storage units changes theoptimal set changes. In some embodiments, the persisted value is thecurrent assignment (which is always true) and the calculated value isthe target assignment the cluster will attempt to reconfigure towards.This calculation may be used to determine the optimal non-volatile solidstate storage 152 for an authority in the presence of a set ofnon-volatile solid state storage 152 that are reachable and constitutethe same cluster. The calculation also determines an ordered set of peernon-volatile solid state storage 152 that will also record the authorityto non-volatile solid state storage mapping so that the authority may bedetermined even if the assigned non-volatile solid state storage isunreachable. A duplicate or substitute authority 168 may be consulted ifa specific authority 168 is unavailable in some embodiments.

With reference to FIGS. 1 and 2, two of the many tasks of the CPU 156 ona storage node 150 are to break up write data, and reassemble read data.When the system has determined that data is to be written, the authority168 for that data is located as above. When the segment ID for data isalready determined the request to write is forwarded to the non-volatilesolid state storage 152 currently determined to be the host of theauthority 168 determined from the segment. The host CPU 156 of thestorage node 150, on which the non-volatile solid state storage 152 andcorresponding authority 168 reside, then breaks up or shards the dataand transmits the data out to various non-volatile solid state storage152. The transmitted data is written as a data stripe in accordance withan erasure coding scheme. In some embodiments, data is requested to bepulled, and in other embodiments, data is pushed. In reverse, when datais read, the authority 168 for the segment ID containing the data islocated as described above. The host CPU 156 of the storage node 150 onwhich the non-volatile solid state storage 152 and correspondingauthority 168 reside requests the data from the non-volatile solid statestorage and corresponding storage nodes pointed to by the authority. Insome embodiments the data is read from flash storage as a data stripe.The host CPU 156 of storage node 150 then reassembles the read data,correcting any errors (if present) according to the appropriate erasurecoding scheme, and forwards the reassembled data to the network. Infurther embodiments, some or all of these tasks can be handled in thenon-volatile solid state storage 152. In some embodiments, the segmenthost requests the data be sent to storage node 150 by requesting pagesfrom storage and then sending the data to the storage node making theoriginal request.

In some systems, for example in UNIX-style file systems, data is handledwith an index node or inode, which specifies a data structure thatrepresents an object in a file system. The object could be a file or adirectory, for example. Metadata may accompany the object, as attributessuch as permission data and a creation timestamp, among otherattributes. A segment number could be assigned to all or a portion ofsuch an object in a file system. In other systems, data segments arehandled with a segment number assigned elsewhere. For purposes ofdiscussion, the unit of distribution is an entity, and an entity can bea file, a directory or a segment. That is, entities are units of data ormetadata stored by a storage system. Entities are grouped into setscalled authorities. Each authority has an authority owner, which is astorage node that has the exclusive right to update the entities in theauthority. In other words, a storage node contains the authority, andthat the authority, in turn, contains entities.

A segment is a logical container of data in accordance with someembodiments. A segment is an address space between medium address spaceand physical flash locations, i.e., the data segment number, are in thisaddress space. Segments may also contain meta-data, which enable dataredundancy to be restored (rewritten to different flash locations ordevices) without the involvement of higher level software. In oneembodiment, an internal format of a segment contains client data andmedium mappings to determine the position of that data. Each datasegment is protected, e.g., from memory and other failures, by breakingthe segment into a number of data and parity shards, where applicable.The data and parity shards are distributed, i.e., striped, acrossnon-volatile solid state storage 152 coupled to the host CPUs 156 (SeeFIG. 5) in accordance with an erasure coding scheme. Usage of the termsegments refers to the container and its place in the address space ofsegments in some embodiments. Usage of the term stripe refers to thesame set of shards as a segment and includes how the shards aredistributed along with redundancy or parity information in accordancewith some embodiments.

A series of address-space transformations takes place across an entirestorage system. At the top are the directory entries (file names) whichlink to an inode. Inodes point into medium address space, where data islogically stored. Medium addresses may be mapped through a series ofindirect mediums to spread the load of large files, or implement dataservices like deduplication or snapshots. Medium addresses may be mappedthrough a series of indirect mediums to spread the load of large files,or implement data services like deduplication or snapshots. Segmentaddresses are then translated into physical flash locations. Physicalflash locations have an address range bounded by the amount of flash inthe system in accordance with some embodiments. Medium addresses andsegment addresses are logical containers, and in some embodiments use a128 bit or larger identifier so as to be practically infinite, with alikelihood of reuse calculated as longer than the expected life of thesystem. Addresses from logical containers are allocated in ahierarchical fashion in some embodiments. Initially, each non-volatilesolid state storage unit 152 may be assigned a range of address space.Within this assigned range, the non-volatile solid state storage 152 isable to allocate addresses without synchronization with othernon-volatile solid state storage 152.

Data and metadata is stored by a set of underlying storage layouts thatare optimized for varying workload patterns and storage devices. Theselayouts incorporate multiple redundancy schemes, compression formats andindex algorithms. Some of these layouts store information aboutauthorities and authority masters, while others store file metadata andfile data. The redundancy schemes include error correction codes thattolerate corrupted bits within a single storage device (such as a NANDflash chip), erasure codes that tolerate the failure of multiple storagenodes, and replication schemes that tolerate data center or regionalfailures. In some embodiments, low density parity check (LDPC) code isused within a single storage unit. Reed-Solomon encoding is used withina storage cluster, and mirroring is used within a storage grid in someembodiments. Metadata may be stored using an ordered log structuredindex (such as a Log Structured Merge Tree), and large data may not bestored in a log structured layout.

In order to maintain consistency across multiple copies of an entity,the storage nodes agree implicitly on two things through calculations:(1) the authority that contains the entity, and (2) the storage nodethat contains the authority. The assignment of entities to authoritiescan be done by pseudo randomly assigning entities to authorities, bysplitting entities into ranges based upon an externally produced key, orby placing a single entity into each authority. Examples of pseudorandomschemes are linear hashing and the Replication Under Scalable Hashing(RUSH) family of hashes, including Controlled Replication Under ScalableHashing (CRUSH). In some embodiments, pseudo-random assignment isutilized only for assigning authorities to nodes because the set ofnodes can change. The set of authorities cannot change so any subjectivefunction may be applied in these embodiments. Some placement schemesautomatically place authorities on storage nodes, while other placementschemes rely on an explicit mapping of authorities to storage nodes. Insome embodiments, a pseudorandom scheme is utilized to map from eachauthority to a set of candidate authority owners. A pseudorandom datadistribution function related to CRUSH may assign authorities to storagenodes and create a list of where the authorities are assigned. Eachstorage node has a copy of the pseudorandom data distribution function,and can arrive at the same calculation for distributing, and laterfinding or locating an authority. Each of the pseudorandom schemesrequires the reachable set of storage nodes as input in some embodimentsin order to conclude the same target nodes. Once an entity has beenplaced in an authority, the entity may be stored on physical devices sothat no expected failure will lead to unexpected data loss. In someembodiments, rebalancing algorithms attempt to store the copies of allentities within an authority in the same layout and on the same set ofmachines.

Examples of expected failures include device failures, stolen machines,datacenter fires, and regional disasters, such as nuclear or geologicalevents. Different failures lead to different levels of acceptable dataloss. In some embodiments, a stolen storage node impacts neither thesecurity nor the reliability of the system, while depending on systemconfiguration, a regional event could lead to no loss of data, a fewseconds or minutes of lost updates, or even complete data loss.

In the embodiments, the placement of data for storage redundancy isindependent of the placement of authorities for data consistency. Insome embodiments, storage nodes that contain authorities do not containany persistent storage. Instead, the storage nodes are connected tonon-volatile solid state storage units that do not contain authorities.The communications interconnect between storage nodes and non-volatilesolid state storage units consists of multiple communicationtechnologies and has non-uniform performance and fault tolerancecharacteristics. In some embodiments, as mentioned above, non-volatilesolid state storage units are connected to storage nodes via PCIexpress, storage nodes are connected together within a single chassisusing Ethernet backplane, and chassis are connected together to form astorage cluster. Storage clusters are connected to clients usingEthernet or fiber channel in some embodiments. If multiple storageclusters are configured into a storage grid, the multiple storageclusters are connected using the Internet or other long-distancenetworking links, such as a “metro scale” link or private link that doesnot traverse the internet.

Authority owners have the exclusive right to modify entities, to migrateentities from one non-volatile solid state storage unit to anothernon-volatile solid state storage unit, and to add and remove copies ofentities. This allows for maintaining the redundancy of the underlyingdata. When an authority owner fails, is going to be decommissioned, oris overloaded, the authority is transferred to a new storage node.Transient failures make it non-trivial to ensure that all non-faultymachines agree upon the new authority location. The ambiguity thatarises due to transient failures can be achieved automatically by aconsensus protocol such as Paxos, hot-warm failover schemes, via manualintervention by a remote system administrator, or by a local hardwareadministrator (such as by physically removing the failed machine fromthe cluster, or pressing a button on the failed machine). In someembodiments, a consensus protocol is used, and failover is automatic. Iftoo many failures or replication events occur in too short a timeperiod, the system goes into a self-preservation mode and haltsreplication and data movement activities until an administratorintervenes in accordance with some embodiments.

As authorities are transferred between storage nodes and authorityowners update entities in their authorities, the system transfersmessages between the storage nodes and non-volatile solid state storageunits. With regard to persistent messages, messages that have differentpurposes are of different types. Depending on the type of the message,the system maintains different ordering and durability guarantees. Asthe persistent messages are being processed, the messages aretemporarily stored in multiple durable and non-durable storage hardwaretechnologies. In some embodiments, messages are stored in RAM, NVRAM andon NAND flash devices, and a variety of protocols are used in order tomake efficient use of each storage medium. Latency-sensitive clientrequests may be persisted in replicated NVRAM, and then later NAND,while background rebalancing operations are persisted directly to NAND.

Persistent messages are persistently stored prior to being transmitted.This allows the system to continue to serve client requests despitefailures and component replacement. Although many hardware componentscontain unique identifiers that are visible to system administrators,manufacturer, hardware supply chain and ongoing monitoring qualitycontrol infrastructure, applications running on top of theinfrastructure address virtualize addresses. These virtualized addressesdo not change over the lifetime of the storage system, regardless ofcomponent failures and replacements. This allows each component of thestorage system to be replaced over time without reconfiguration ordisruptions of client request processing.

In some embodiments, the virtualized addresses are stored withsufficient redundancy. A continuous monitoring system correlateshardware and software status and the hardware identifiers. This allowsdetection and prediction of failures due to faulty components andmanufacturing details. The monitoring system also enables the proactivetransfer of authorities and entities away from impacted devices beforefailure occurs by removing the component from the critical path in someembodiments.

FIG. 3 is a multiple level block diagram, showing contents of a storagenode 150 and contents of a non-volatile solid state storage 152 of thestorage node 150. Data is communicated to and from the storage node 150by a network interface controller (NIC) 202 in some embodiments. Eachstorage node 150 has a CPU 156, and one or more non-volatile solid statestorage 152, as discussed above. Moving down one level in FIG. 3, eachnon-volatile solid state storage 152 has a relatively fast non-volatilesolid state memory, such as nonvolatile random access memory (NVRAM)204, and flash memory 206. In some embodiments, NVRAM 204 may be acomponent that does not require program/erase cycles (DRAM, MRAM, PCM),and can be a memory that can support being written vastly more oftenthan the memory is read from. Moving down another level in FIG. 3, theNVRAM 204 is implemented in one embodiment as high speed volatilememory, such as dynamic random access memory (DRAM) 216, backed up byenergy reserve 218. Energy reserve 218 provides sufficient electricalpower to keep the DRAM 216 powered long enough for contents to betransferred to the flash memory 206 in the event of power failure. Insome embodiments, energy reserve 218 is a capacitor, super-capacitor,battery, or other device, that supplies a suitable supply of energysufficient to enable the transfer of the contents of DRAM 216 to astable storage medium in the case of power loss. The flash memory 206 isimplemented as multiple flash dies 222, which may be referred to aspackages of flash dies 222 or an array of flash dies 222. It should beappreciated that the flash dies 222 could be packaged in any number ofways, with a single die per package, multiple dies per package (i.e.multichip packages), in hybrid packages, as bare dies on a printedcircuit board or other substrate, as encapsulated dies, etc. In theembodiment shown, the non-volatile solid state storage 152 has acontroller 212 or other processor, and an input output (I/O) port 210coupled to the controller 212. I/O port 210 is coupled to the CPU 156and/or the network interface controller 202 of the flash storage node150. Flash input output (I/O) port 220 is coupled to the flash dies 222,and a direct memory access unit (DMA) 214 is coupled to the controller212, the DRAM 216 and the flash dies 222. In the embodiment shown, theI/O port 210, controller 212, DMA unit 214 and flash I/O port 220 areimplemented on a programmable logic device (PLD) 208, e.g., a fieldprogrammable gate array (FPGA). In this embodiment, each flash die 222has pages, organized as sixteen kB (kilobyte) pages 224, and a register226 through which data can be written to or read from the flash die 222.In further embodiments, other types of solid-state memory are used inplace of, or in addition to flash memory illustrated within flash die222.

Storage clusters 160, in various embodiments as disclosed herein, can becontrasted with storage arrays in general. The storage nodes 150 arepart of a collection that creates the storage cluster 160. Each storagenode 150 owns a slice of data and computing required to provide thedata. Multiple storage nodes 150 cooperate to store and retrieve thedata. Storage memory or storage devices, as used in storage arrays ingeneral, are less involved with processing and manipulating the data.Storage memory or storage devices in a storage array receive commands toread, write, or erase data. The storage memory or storage devices in astorage array are not aware of a larger system in which they areembedded, or what the data means. Storage memory or storage devices instorage arrays can include various types of storage memory, such as RAM,solid state drives, hard disk drives, etc. The storage units 152described herein have multiple interfaces active simultaneously andserving multiple purposes. In some embodiments, some of thefunctionality of a storage node 150 is shifted into a storage unit 152,transforming the storage unit 152 into a combination of storage unit 152and storage node 150. Placing computing (relative to storage data) intothe storage unit 152 places this computing closer to the data itself.The various system embodiments have a hierarchy of storage node layerswith different capabilities. By contrast, in a storage array, acontroller owns and knows everything about all of the data that thecontroller manages in a shelf or storage devices. In a storage cluster160, as described herein, multiple controllers in multiple storage units152 and/or storage nodes 150 cooperate in various ways (e.g., forerasure coding, data sharding, metadata communication and redundancy,storage capacity expansion or contraction, data recovery, and so on).

FIG. 4 depicts a storage node 150 sending an I/O command 404 to astorage unit 152, which verifies the I/O command 404 based on contentsof an accompanying signed token 406. The I/O command 404 could be acommand to read data from, or write data to the storage unit 152, e.g.involving the flash memory 206 or the NVRAM 204, or some other command.In some embodiments, the I/O command 404 could be a command to read orwrite data that is striped across the storage units 152 in the storagecluster 160. A signed token 406 accompanies or is associated with theI/O command 404. In some embodiments, the storage node 150 could sendthe I/O command 404 and the signed token 406, on behalf of the authority402, to the storage unit 152 via the communications interconnect 170shown in FIG. 2. Upon receiving the I/O command 404 and the associatedsigned token 406, the storage unit 152 verifies the I/O command 404,based on contents of the token 406. A verification module 408 in thestorage unit 152 performs this verification, and can be implemented assoftware, firmware, hardware, or combinations thereof. In someembodiments, the storage unit 152, using the verification module 408,determines the contents of the token 406 and verifies the I/O command404 without further communication from the storage unit 152 back tooriginators of the token 406 and the signature, i.e., withoutcommunicating to other storage nodes 150. As described further below,the token may be revocable with or without requiring furthercommunication from the storage unit 152.

FIG. 5 shows relationships of the token 406 to the I/O command 404, thestorage node 150, the authority 402 executing in the storage node 150,and signers 510 of the token 406 in some embodiments. Contents of thesigned token 406, in one embodiment as depicted, include a storage nodeidentifier 502, an authority identifier 504, an embedded signature 506,and a timestamp 508. Each token 406 is specific to an authority 402 andspecific to the storage node 150 in which the authority 402 resides orexecutes. The storage node identifier 502, in the token 406, could be anumber or a name identifying the storage node 150 in some embodiments.Similarly, the authority identifier 504 in the token 406 could be anumber or name identifying the authority 402. For example, the authority402 issuing the I/O command 404 in FIG. 5 is labeled (e.g., named) “A1”,and this name could be used as the authority identifier 504.

Still referring to FIG. 5, storage nodes 150, other than the storagenode executing the authority 402, are signers 510 of the token 406 insome embodiments. Each of the signers 510 is a storage node 150 or onauthority 402, in various embodiments, and the signers 510 are spreadacross or distributed among the storage nodes 150 of the storage cluster160. These signers 510 provide a signature (which could include multiplesignatures, in one embodiment), which is then embedded in the token 406.Signing algorithms, signing mechanisms, signatures and embeddedsignatures are well known, and suitable versions of these can beselected and applied in various embodiments. By signing the token 406,the signers 510 are indicating that they agree that the authority 402has ownership of data affected by the I/O command 404. This agreementcan be formed by a voting arrangement, among other possibilities. Thetimestamp 508 in the token 406 could indicate the time of creation ofthe token 406, the time of signing of the token 406, the time of sendingof the token 406, or some other time value associated with the I/Ocommand 404. There is a predefined validity time period or interval forthe timestamp 508, commencing when the timestamp 508 is written (i.e.,commencing with the value of the timestamp 508) in some embodiments. Thevalidity time for the token 406 expires at the end of the validity timeperiod or interval. Thus, upon expiration of the validity time periodtoken 406 is revoked. In some embodiments, token 406 may be revokedthrough alternative mechanisms, e.g., under direction of a storage node.It should be appreciated that the embodiments covers instances where thetoken 406 may be revoked with or without the need for communication toor from any storage nodes. In addition, while the embodiments provideone example where the token is revoked through a shared system featuresuch as time to avoid the need for any external communication concerningthe revocation, other shared system features may be integrated with theembodiments.

Referring back to FIG. 4, and with ongoing reference to FIG. 5, theverification module 408 checks the embedded signature 506 of the token406. For example, the embedded signature 506 could be encrypted, and theverification module 408 could decrypt the embedded signature 506 andcompare the decrypted value to an expected value. In some embodiments,the verification module 408 could decrypt the embedded signature 506,and compare the decrypted value to the storage node identifier 502 andthe authority identifier 504, looking for a match. The verificationmodule 408 also checks the timestamp 508, and looks to see if the tokenhas expired, e.g., compares the present time value to the timestamp 508and the validity time period or interval. The verification module 408can thus determine whether the I/O command 404 is valid, based onwhether the authority 402 and the storage node 150 have a right to issueI/O commands 404 pertaining to the data to be written to or read fromthe storage unit 152, whether the token 406 is properly signed, andwhether the token 406 is within the validity time period or interval orhas expired and is revoked. It should be appreciated that while theembodiments refer to a revocable token where the revocation is achievedwithout any external communication to or from any storage nodes, this isnot meant to be limiting. In some embodiments, the token may be revokedthrough a mechanism requiring the external communication.

FIG. 6 shows storage nodes 150 voting to replace an authority 402 insome embodiments. Such voting could take place if a storage node 150, oran authority 402, is unresponsive. Under these circumstances, thestorage cluster 160 continues to operate, as will be described withreference to FIG. 7. In the embodiment shown in FIG. 6, the storagenodes 150 are coupled to a voting unit 602. Voting mechanisms,algorithms and connections are well known, and suitable versions ofthese can be selected and applied in various embodiments. For example,the voting unit 602 could be distributed and redundant across thestorage nodes 150, so that the storage cluster 160 has a type of faulttolerance and can vote when one or more storage nodes 150 areunresponsive. The voting unit 602 is utilized by the signers 510 todetermine whether or not a token 406 should be signed, in someembodiments. The storage nodes from which the embedded signature 506 forthe signed token 406 originates form a witness quorum within the storagecluster 160. In some embodiments, the quorum of signers represents amajority of the plurality of storage nodes.

FIG. 7 shows assignment of an authority 402 to a new storage node 150,as a replacement authority 402. Continuing with the scenario developedin FIGS. 4-6, the left-most storage node 150 is shown with authorities402 named A1, A2 . . . A4, and the middle storage node 150 is shown ashaving authorities 402 named A5 . . . A8. User data corresponding with(e.g., owned by) the authority 402 named A1 is depicted as stripedacross the storage units 152 (e.g., data labeled “A1” in each of thestorage units 152), using erasure coding. Some of the storage units 152show user data corresponding to other authorities, such as A2 . . . AN.In this scenario, the authority 402 named “A1”, or the storage node 150that is executing this authority 402, is unresponsive or unreachable.However, the storage cluster still needs to access the user data ownedby this authority 402. The remaining storage nodes 150 vote, using thevoting unit 602 of FIG. 6, to replace the authority 402 named “A1”,i.e., to determine a replacement authority 402. The remaining storagenodes 150 determine that a new node 150 is a suitable location to whichto relocate the authority 402 named “A1”. The new storage node 150 couldbe an unused (e.g., spare, not yet allocated) storage node 150, or astorage node 150 that is currently in use and has one or more otherauthorities 402. The authority 402 is then relocated to the new storagenode 150, i.e., the replacement authority 402 is located in the newstorage node 150, and given ownership of the user data (formerly) ownedby the original authority 402 that is unresponsive or is located in anunresponsive storage node 150. The relocated or replacement authority402, in the new storage node 150, is depicted as owning the datacorresponding to the authority 402 named “A1” (see arrow pointing fromreplacement authority 402 to corresponding user data in the storage unit152 in the new storage node 150). This relocated or replacementauthority 402 can issue I/O commands 404, with signed tokens 406,pertaining to the user data over which it now has ownership. The newstorage node 150 thus acts as a replacement storage node 150, and therelocated authority 402 acts as a replacement authority 402. It shouldbe appreciated that the user data itself does not need to be movedduring this process, and remains intact in the storage units 152. Whenan authority 402 is relocated or replaced, the remaining storage nodes150 can vote, using the voting unit 602, to revoke any or all tokens 406issued by (or on behalf of) the authority 402 prior to relocation orreplacement in some embodiments. Revocation could be carried out bysending messages to the various storage units 152, so that theverification modules 408 are made aware of which tokens 406 are revoked.The remaining storage nodes 150 can vote to block communication from anauthority 402 being replaced, in some embodiments.

FIG. 8 is a flow diagram of a method for authorizing I/O commands, whichcan be practiced in the storage cluster of FIG. 1 and furtherembodiments thereof. Some or all of the actions in the method can beperformed by various processors, such as processors in storage nodes orprocessors in storage units. In an action 802, an I/O command isgenerated by an authority in a storage node. For example, the processorin a storage node could generate an I/O command on behalf of anauthority resident or executing in the storage node. The I/O commandcould pertain to data striped across storage units in the storagecluster, or data in NVRAM in a storage unit in some embodiments. In anaction 804, a token is generated responsive to the authority initiatingthe I/O command and the token is associated with the I/O command. Thetoken is specific to assignment of the authority and a storage node ofthe storage cluster. The token has a signature by storage nodes otherthan the storage node that has the authority for which the I/O commandis generated in some embodiments. The token may have a timestamp, anauthority identifier and/or a storage node identifier, among variouspossibilities as discussed above.

Still referring to FIG. 8, the I/O command and the signed token are sentfrom the storage node and authority to one or more storage units, in anaction 806. These could be sent as messages in some embodiments. The I/Ocommand is verified based on contents of the signed token in action 808,e.g., a signature confirming validity of the token. This verificationcould include checking to see if the time of receipt of the signed tokenis within a predetermined time validity period or interval of atimestamp in the signed token, checking the signature to confirmvalidity of the token, and so on. As noted above, the token is revocableand in some embodiments the token may be self-revoking, e.g., based on atime expiration as discussed above. The I/O command is performed by thestorage unit, upon successful verification. In a decision action 810, itis determined whether an authority or a storage node is unresponsive orunreachable. If none of the authorities or storage nodes is unresponsiveor unreachable, flow branches back to the action 802, for more I/Ocommands and repeats as described above. If an authority or a storagenode is unresponsive, flow proceeds to the action 812. In the action812, there is a vote to relocate or replace such an authority.Relocating or replacing an authority can be performed as discussed abovewith reference to FIG. 7 in some embodiments. Communication from theauthority being replaced is blocked, in an action 814. One or moretokens from the authority being replaced are revoked, in an action 816.The revocation of the one or more tokens may be without any furtherexternal communication to or from the storage nodes or storage units insome embodiments, as discussed above. Flow then proceeds back to theaction 802, to generate an I/O command (by one of the existingauthorities, and/or by the relocated or replacement authority).

It should be appreciated that the methods described herein may beperformed with a digital processing system, such as a conventional,general-purpose computer system. Special purpose computers, which aredesigned or programmed to perform only one function may be used in thealternative. FIG. 9 is an illustration showing an exemplary computingdevice which may implement the embodiments described herein. Thecomputing device of FIG. 9 may be used to perform embodiments of thefunctionality for a storage node or a non-volatile solid state storagein accordance with some embodiments. The computing device includes acentral processing unit (CPU) 901, which is coupled through a bus 905 toa memory 903, and mass storage device 907. Mass storage device 907represents a persistent data storage device such as a disc drive, whichmay be local or remote in some embodiments. The mass storage device 907could implement a backup storage, in some embodiments. Memory 903 mayinclude read only memory, random access memory, etc. Applicationsresident on the computing device may be stored on or accessed via acomputer readable medium such as memory 903 or mass storage device 907in some embodiments. Applications may also be in the form of modulatedelectronic signals modulated accessed via a network modem or othernetwork interface of the computing device. It should be appreciated thatCPU 901 may be embodied in a general-purpose processor, a specialpurpose processor, or a specially programmed logic device in someembodiments.

Display 911 is in communication with CPU 901, memory 903, and massstorage device 907, through bus 905. Display 911 is configured todisplay any visualization tools or reports associated with the systemdescribed herein. Input/output device 909 is coupled to bus 905 in orderto communicate information in command selections to CPU 901. It shouldbe appreciated that data to and from external devices may becommunicated through the input/output device 909. CPU 901 can be definedto execute the functionality described herein to enable thefunctionality described with reference to FIGS. 1-8. The code embodyingthis functionality may be stored within memory 903 or mass storagedevice 907 for execution by a processor such as CPU 901 in someembodiments. The operating system on the computing device may beMS-WINDOWS™, UNIX™, LINUX™, iOS™, CentOS™, Android™, Redhat Linux™,z/OS™, or other known operating systems. It should be appreciated thatthe embodiments described herein may be integrated with virtualizedcomputing system also.

Detailed illustrative embodiments are disclosed herein. However,specific functional details disclosed herein are merely representativefor purposes of describing embodiments. Embodiments may, however, beembodied in many alternate forms and should not be construed as limitedto only the embodiments set forth herein.

It should be understood that although the terms first, second, etc. maybe used herein to describe various steps or calculations, these steps orcalculations should not be limited by these terms. These terms are onlyused to distinguish one step or calculation from another. For example, afirst calculation could be termed a second calculation, and, similarly,a second step could be termed a first step, without departing from thescope of this disclosure. As used herein, the term “and/or” and the “/”symbol includes any and all combinations of one or more of theassociated listed items.

As used herein, the singular forms “a”, “an” and “the” are intended toinclude the plural forms as well, unless the context clearly indicatesotherwise. It will be further understood that the terms “comprises”,“comprising”, “includes”, and/or “including”, when used herein, specifythe presence of stated features, integers, steps, operations, elements,and/or components, but do not preclude the presence or addition of oneor more other features, integers, steps, operations, elements,components, and/or groups thereof. Therefore, the terminology usedherein is for the purpose of describing particular embodiments only andis not intended to be limiting.

It should also be noted that in some alternative implementations, thefunctions/acts noted may occur out of the order noted in the figures.For example, two figures shown in succession may in fact be executedsubstantially concurrently or may sometimes be executed in the reverseorder, depending upon the functionality/acts involved.

With the above embodiments in mind, it should be understood that theembodiments might employ various computer-implemented operationsinvolving data stored in computer systems. These operations are thoserequiring physical manipulation of physical quantities. Usually, thoughnot necessarily, these quantities take the form of electrical ormagnetic signals capable of being stored, transferred, combined,compared, and otherwise manipulated. Further, the manipulationsperformed are often referred to in terms, such as producing,identifying, determining, or comparing. Any of the operations describedherein that form part of the embodiments are useful machine operations.The embodiments also relate to a device or an apparatus for performingthese operations. The apparatus can be specially constructed for therequired purpose, or the apparatus can be a general-purpose computerselectively activated or configured by a computer program stored in thecomputer. In particular, various general-purpose machines can be usedwith computer programs written in accordance with the teachings herein,or it may be more convenient to construct a more specialized apparatusto perform the required operations.

A module, an application, a layer, an agent or other method-operableentity could be implemented as hardware, firmware, or a processorexecuting software, or combinations thereof. It should be appreciatedthat, where a software-based embodiment is disclosed herein, thesoftware can be embodied in a physical machine such as a controller. Forexample, a controller could include a first module and a second module.A controller could be configured to perform various actions, e.g., of amethod, an application, a layer or an agent.

The embodiments can also be embodied as computer readable code on anon-transitory computer readable medium. The computer readable medium isany data storage device that can store data, which can be thereafterread by a computer system. Examples of the computer readable mediuminclude hard drives, network attached storage (NAS), read-only memory,random-access memory, CD-ROMs, CD-Rs, CD-RWs, magnetic tapes, and otheroptical and non-optical data storage devices. The computer readablemedium can also be distributed over a network coupled computer system sothat the computer readable code is stored and executed in a distributedfashion. Embodiments described herein may be practiced with variouscomputer system configurations including hand-held devices, tablets,microprocessor systems, microprocessor-based or programmable consumerelectronics, minicomputers, mainframe computers and the like. Theembodiments can also be practiced in distributed computing environmentswhere tasks are performed by remote processing devices that are linkedthrough a wire-based or wireless network.

Although the method operations were described in a specific order, itshould be understood that other operations may be performed in betweendescribed operations, described operations may be adjusted so that theyoccur at slightly different times or the described operations may bedistributed in a system which allows the occurrence of the processingoperations at various intervals associated with the processing.

In various embodiments, one or more portions of the methods andmechanisms described herein may form part of a cloud-computingenvironment. In such embodiments, resources may be provided over theInternet as services according to one or more various models. Suchmodels may include Infrastructure as a Service (IaaS), Platform as aService (PaaS), and Software as a Service (SaaS). In IaaS, computerinfrastructure is delivered as a service. In such a case, the computingequipment is generally owned and operated by the service provider. Inthe PaaS model, software tools and underlying equipment used bydevelopers to develop software solutions may be provided as a serviceand hosted by the service provider. SaaS typically includes a serviceprovider licensing software as a service on demand. The service providermay host the software, or may deploy the software to a customer for agiven period of time. Numerous combinations of the above models arepossible and are contemplated.

Various units, circuits, or other components may be described or claimedas “configured to” perform a task or tasks. In such contexts, the phrase“configured to” is used to connote structure by indicating that theunits/circuits/components include structure (e.g., circuitry) thatperforms the task or tasks during operation. As such, theunit/circuit/component can be said to be configured to perform the taskeven when the specified unit/circuit/component is not currentlyoperational (e.g., is not on). The units/circuits/components used withthe “configured to” language include hardware—for example, circuits,memory storing program instructions executable to implement theoperation, etc. Reciting that a unit/circuit/component is “configuredto” perform one or more tasks is expressly intended not to invoke 35U.S.C. 112, sixth paragraph, for that unit/circuit/component.Additionally, “configured to” can include generic structure (e.g.,generic circuitry) that is manipulated by software and/or firmware(e.g., an FPGA or a general-purpose processor executing software) tooperate in manner that is capable of performing the task(s) at issue.“Configured to” may also include adapting a manufacturing process (e.g.,a semiconductor fabrication facility) to fabricate devices (e.g.,integrated circuits) that are adapted to implement or perform one ormore tasks.

The foregoing description, for the purpose of explanation, has beendescribed with reference to specific embodiments. However, theillustrative discussions above are not intended to be exhaustive or tolimit the invention to the precise forms disclosed. Many modificationsand variations are possible in view of the above teachings. Theembodiments were chosen and described in order to best explain theprinciples of the embodiments and its practical applications, to therebyenable others skilled in the art to best utilize the embodiments andvarious modifications as may be suited to the particular usecontemplated. Accordingly, the present embodiments are to be consideredas illustrative and not restrictive, and the invention is not to belimited to the details given herein, but may be modified within thescope and equivalents of the appended claims.

What is claimed is:
 1. A method for handling I/O (input/output) commandsin a storage cluster, performed by the storage cluster, the methodcomprising: sending an I/O command relating to storage of user dataacross storage nodes of a storage cluster, and a token associated to theI/O command, from a first storage node of the storage cluster to asecond storage node of the storage cluster, the token generatedresponsive to an authority having ownership of the user data initiatingthe sending; verifying, at the second storage node, the I/O command,based on contents of the token; and executing the I/O command, at thesecond storage node, based on the verifying.
 2. The method of claim 1,wherein the verifying based on the contents of the token comprises:verifying a signature in the token; and determining whether the tokenhas expired.
 3. The method of claim 1, further comprising: voting amongstorage nodes of the storage cluster to sign the token; and embedding asignature in the token, responsive to the voting.
 4. The method of claim1, wherein the sending the token comprises sending a token having astorage node identifier and a timestamp.
 5. The method of claim 1,wherein multiple chassis are connected to define the storage cluster. 6.The method of claim 1, further comprising: establishing a validity timeperiod of the token.
 7. The method of claim 1, wherein the verifyingbased on the contents of the token comprises: decrypting an embeddedsignature of the token; and comparing the decrypted embedded signatureto an expected value.
 8. A tangible, non-transitory, computer-readablemedia having instructions thereupon which, when executed by a processor,cause the processor to perform a method comprising: communicating an I/Ocommand and an associated token from one of a plurality of storage nodesof a storage cluster to a further one of the plurality of storage nodes,wherein the I/O command relates to storage of user data across theplurality of storage nodes, and the token indicates ownership of aportion of the user data affected by the I/O command, the tokengenerated responsive to an authority having ownership of the user datainitiating the sending; verifying the token, at the further one of theplurality of storage nodes; and performing the I/O command, at thefurther one of the plurality of storage nodes, responsive to theverifying.
 9. The computer-readable media of claim 8, wherein theverifying the token comprises: verifying a signature embedded in thetoken; and determining that the token has not expired.
 10. Thecomputer-readable media of claim 8, wherein the method furthercomprises: voting, among the plurality of storage nodes of the storagecluster, to sign the token; generating a signature; and embedding thesignature in the token.
 11. The computer-readable media of claim 8,further comprising: generating the token with contents including astorage node identifier and a timestamp, wherein the timestampestablishes a validity time period for the I/O command.
 12. Thecomputer-readable media of claim 8, wherein the method furthercomprises: generating the I/O command and the token for one of aplurality of authorities in the plurality of storage nodes, wherein eachof the plurality of authorities owns a range of the user data.
 13. Thecomputer-readable media of claim 8, wherein the verifying the tokencomprises: obtaining a storage node identifier from the token;decrypting an embedded signature of the token; and comparing thedecrypted embedded signature to the storage node identifier.
 14. Astorage cluster, comprising: a plurality of storage nodes, the pluralityof storage nodes having storage memory, and configurable to stripe userdata across the plurality of storage nodes and the storage memory; andthe plurality of storage nodes further configurable to: send an I/Ocommand with an associated token, from a first one of the plurality ofstorage nodes to a second one of the plurality of storage nodes, thetoken generated responsive to an authority having ownership of the userdata initiating the sending; verify the token and, as a result, the I/Ocommand, at the second one of the plurality of storage nodes; andexecute the I/O command, at the second one of the plurality of storagenodes, having verified the token.
 15. The storage cluster of claim 14,wherein to verify the token, the plurality of storage nodes areconfigurable to: verify a signature of the token; and determine, from atimestamp of the token, whether the token has expired.
 16. The storagecluster of claim 14, further comprising the plurality of storage nodesconfigurable to: vote to sign the token; and embed a signature in thetoken.
 17. The storage cluster of claim 14, wherein the token comprisesa storage node identifier and a timestamp.
 18. The storage cluster ofclaim 14, further comprising: the plurality of storage nodes having aplurality of authorities therein, each of the plurality of authoritiesowning a range of the user data; and the plurality of storage nodesconfigurable to generate the I/O command and the token specific to oneof the plurality of authorities in the storage cluster.
 19. The storagecluster of claim 14, wherein: the token has a timestamp that establishesa validity time period of the token; the token expires after thevalidity time period; and the token is revocable.
 20. The storagecluster of claim 14, wherein multiple chassis are connected to definethe storage cluster.